If you made a list of the technological tools used by multiple software development methodologies, automation would have to be somewhere near the top. Anything that reduces the rote, repetitive work developers, security personnel and others have to handle in the process of app creation is a good thing; combine that with the reduced costs and lower risk that automation usually introduces into a given company's operations, and you have something that can make things easier and more efficient for all involved.
In some ways, that ease is exactly why DevOps and automation mesh so well. Given the methodology's focus on frequent, thorough security scanning of a company's digital assets (both active and in progress), automated security platforms in particular offer numerous solutions in one tiny package.
CA Veracode's case study, entitled "Global 100 Manufacturer Reduces Risk across 30,000 Domains in Eight Days," examines the ways in which a company can employ automation to shore up its security. In light of that document, here's a look at how DevOps and automation can work to make development easier.
Obviously, intangible products such as software aren't going to be built the same way cars, houses and other tangible things are. That fundamental difference goes a long way toward explaining why bugs and other security flaws tend to become nastier and more expensive to fix every day that you let them go unchecked: The things your developers or third-party vendors are coding now depend on what was coded in the past, making it infinitely easier and less expensive to catch errors right away.
Automation works here because it empowers teams to catch many types of security flaws early, including those introduced into work-in-progress software. Instead of waiting on a project to reach a particular state for testing, in other words, automated security platforms check code from every contributor in real time. They don't even need direct access to the source code (a huge perk for companies working with vendors) thanks to such technologies as binary static analysis.
Automation also offers several advantages over traditional testing methods in terms of reaction speed. Where traditional scanning tools are infrequently patched, and even whole teams of in-house personnel may find it hard to keep up with the latest tools and trends among attackers and other black hat types, competent security platforms have their definitions constantly tweaked and set by dedicated security experts. In practice, this means a fix that's been discovered can be sent out to millions of users in the same day, giving companies access to cutting-edge digital security tools no matter what their primary industries may be.
That same idea applies when talking about the consistency of automated platforms — and as you know, a consistent approach is the backbone to effective security management. When experts are providing the definitions, work from multiple different offices (home base, satellite offices, third-party vendors, etc.) is held to the same standards, negating the issues caused when, say, multiple patch versions of the same scanning software are used across a company's various locations, or one security employee's definition of a given bug is different from the rest of the world's.
DevOps puts a big premium on the power of education in the development world, especially the kind that turns regimented roles into multipurpose players, i.e., employees who can step in and perform multiple tasks as demanded by the project's circumstances. Because of this, automation and DevOps also enhance security in a more roundabout way —that is, by identifying an employee's individual shortcomings and recommending appropriate materials to rectify the situation.
Who better to tell an engineer/developer where to improve than the platform examining their work? Pinpointing issues at the individual level ensures all code-producing employees are on the same page regarding security matters. Beyond that, it ensures the training measures a company does offer are disseminated to employees at their most relevant. Regular, one-size-fits-all training is good, after all, but tailored, targeted, automated education offers specific solutions to specific problems. In a time-to-market obsessed industry like development, that's a huge distinction.
Photo Source: Wikimedia Commons